plugin_krb5_phase1: Added few more tests

* Check that admin principals have the disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and
  disallow_svr attributes
* Check for weak crypto
    * Use kdb5_util for this
pyllyukko 2024-02-22 11:59:02 +02:00
parent ac526be452
commit 4d5b41cb4e
2 changed files with 32 additions and 2 deletions


@ -197,6 +197,7 @@
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;


@ -10,14 +10,14 @@
# PLUGIN_DESC=Kerberos
# PLUGIN_NAME=krb5
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=0.1
# PLUGIN_VERSION=0.2
#-----------------------------------------------------
#
#########################################################################
#
# Test for the prerequisites first
if [ -n "${KADMINLOCALBINARY}" ]
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
then
PREQS_MET="YES"
# Make sure krb5 debugging doesn't mess up the output
@ -106,10 +106,39 @@
then
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
fi
elif ContainsString "/admin@" "${I}"
then
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
then
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
fi
elif ContainsString "^[^/$]+@" "${I}"
then
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
then
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
fi
fi
done
fi
#
#################################################################################
#
# Test : KRB5-0005
# Description : Check for weak crypto
Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
while read I J
do
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
done << EOF
${FIND}
EOF
fi
#
#################################################################################
#
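Review bot: When `FIND` is empty (no matching enctypes), the here-document feeding the KRB5-0005 loop still contains one blank line, so `read I J` succeeds once and the test logs `Result: Kerberos principal  has a key with weak cryptographic algorithm ` with both fields empty; wrap the loop in `if [ -n "${FIND}" ]; then` … `fi` (and use `read -r I J`) so an empty result produces no finding. The awk pattern `(des|arcfour|cbc|sha1)` on the enctype column also matches `aes128-cts-hmac-sha1-96` and `aes256-cts-hmac-sha1-96`, which are not deprecated by RFC 6649/8429 (those cover single DES, 3DES and RC4/arcfour), so most current realms would have every AES key reported as weak; `$4 ~ /^(des|arcfour)/` would catch the deprecated families only — confirm whether flagging the SHA-1 AES types is intended. The new REQUIRES_PRE_AUTH check uses `.+` to require DISALLOW_SVR after REQUIRES_PRE_AUTH on the same line, which seems to match kadmin's fixed attribute print order but leaves the "and/or" log line unable to say which attribute is missing; two separate `ContainsString` checks with their own messages would be clearer, and whether `\b` is honoured depends on the regex dialect behind `ContainsString`, which is defined outside this hunk. The `for` loop that sets `I` and `J` for these checks starts outside the hunk.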